The Bank of Queensland was found to have unfairly dismissed a branch manager who fell for a business email compromise (BEC)-like scam that cost the bank $30,000.
The bank argued the branch manager missed a series of red flags in emails sent from the hacked account of a BOQ customer and from email accounts used by the scammer.
However, some of the flags were neither obvious nor out-of-character with the customer’s regular communications, the Fair Work Commission wrote in a judgment published last month.
The scam emails initially came from the customer’s actual email address and - on the bank’s end - were threaded with legitimate emails.
In addition, an alleged lack of staff training on detecting and dealing with BEC scams was ruled as a contributing factor to the fraud taking place.
Business email compromise (BEC) occurs when criminals use email to abuse trust in business processes to scam organisations out of money or goods, according to the Australian Cyber Security Centre.
How the case unfolded
BOQ’s customer had taken out an owner/builder construction loan and was seeking to make a final drawdown of $37,500 from it.
The customer had previously expressed “dissatisfaction with BOQ” over the loan and how it had been handled.
“The evidence established that the customer had issues with the BOQ loan funds and his access to them,” the judgment states.
The bank’s Nambour branch manager was asked to complete the final loan payment.
The job would have normally fallen to a dedicated, trained lender, but Nambour had been without one since October 2019 and then only had access to a shared resource from January 2020.
The branch manager was coached through part of the process but had to perform other parts herself, according to the judgment.
Communication with the customer was done over email.
But midway through, and unbeknownst to the branch manager, the customer’s email account was compromised, and a scammer started emailing instead.
A staffer within BOQ’s financial crimes unit confirmed that “the first fraudulent email was actually sent from the customer’s email address, and ... there was nothing on the face of the first fraudulent email to indicate that it was being sent from an address other than the email address of the customer.”
Subsequent fraudulent emails were sent from email addresses attached to other domains - apparent from an examination of the email headers, but still not obvious to the recipient, and therefore not picked up.
The emails implored the branch manager to pay out the remaining loan to a CBA account.
The switch of the destination account led to the money being paid out to the fraudster; only $7000 was recovered.
BOQ contended the branch manager had not followed internal policies and that she also missed a series of “red flags” that may have led to the BEC scam being uncovered.
The “red flags” included:
- The language of the scam emails and the misspelling of CBA as “CommonWealth” on a scam invoice that was otherwise identical to the real thing
- A missing “Sent from Mail for Windows 10” label on the scam emails
- Fraudulent domain and authentication information
However, the Fair Work Commission also noted the customer himself made typos in previous emails.
In addition, the branch manager was effectively acting out of position, in a role she wasn’t trained for.
This was in part due to Covid-19, with the bank low on staff and dealing with a sizably increased workload.
The manager said the branch’s phones were “ringing off the hook”, and that staff also needed to make outbound calls to loan customers to offer financial relief.
“It was never my intention to do anything but assist [the owner/builder construction loan customer] with his final progress draw,” the branch manager wrote in a text-based account of the incident.
“Even though I am inexperienced in this area of final progress draws I took on the task with the sole purpose to provide a good outcome for the customer and the bank.
“To this day I am stunned that I have been tangled up in a scam and I would like to profusely apologise for my mistake.
“Never in my 15 years of employment have I acted without integrity or made a mistake that resulted in a financial loss to the bank.”
“In her normal process of work,” the judgment added, the branch manager “would not have thought that a customer’s email could be hacked.”
BOQ ultimately dismissed the branch manager, citing the incident and an unspecified “pattern of behaviour”.
The manager claimed the dismissal was unfair, and the Fair Work Commission agreed, ruling the branch manager “came close to crossing the line between carelessness and negligence” but ultimately did “not cross this line”.
Remedies - such as reinstatement or additional payment - are to be determined at a later hearing.
A BOQ spokesperson told iTnews that “BOQ has comprehensive and robust processes in place to protect the security of our customers."
"As the matter is still under the consideration of the commission, we are unable to comment further.”
